Abstract

Attempts to separate the power of classical and quantum models of computation have a long history.
The ultimate goal is to find exponential separations for computational problems. However, such
separations do not come a dime a dozen: while there were some early successes in the form of hidden
subgroup problems for abelian groups, which generalize Shor's factoring algorithm perhaps most
faithfully, only for a handful of non-abelian groups efficient quantum algorithms were found. Recently,
problems have gotten increased attention that seek to identify hidden sub-structures of other
combinatorial and algebraic objects besides groups. In this paper we provide new examples for
exponential separations by considering hidden shift problems that are defined for several classes of
highly non-linear Boolean functions. These so-called bent functions arise in cryptography, where their
property of having perfectly flat Fourier spectra on the Boolean hypercube gives them resilience against
certain types of attack. We present new quantum algorithms that solve the hidden shift problems for
several well-known classes of bent functions in polynomial time and with a constant number of queries,
while the classical query complexity is shown to be exponential. Our approach uses a technique that
exploits the duality between bent functions and their Fourier transforms.

1 Introduction 

A salient feature of quantum computers is that they allow us to solve certain problems much more
efficiently than any classical machine. The ultimate goal of quantum computing is to find problems for
which an exponential separation between quantum and classical models of computation can be shown in
terms of the required resources such as time, space, communication, or queries. It turns out that the
question about a provably exponential advantage of a quantum computer over classical computers is a
challenging one and examples showing a separation are not easy to come by. Currently, only few (promise)
problems giving an exponential separation between quantum and classical computing are known. A common
feature they share is that, simply put, they all ask to extract hidden features of certain algebraic
structures. Examples for this are hidden shift problems [vDHI03], hidden non-linear structures [CSV07],
and hidden subgroup problems (HSPs). The latter class of hidden subgroup problems was studied quite
extensively over the past decade. There are some successes such as the efficient solution of the HSP for
any abelian group [Sho97, Kit97], including factoring and discrete log as well as Pell's equation [Hal02],
and efficient solutions for some non-abelian groups [FIM+03, BCvD05]. However, meanwhile some limitations
of the known approaches to this problem are known [HMR+06] and presently it is unclear whether the HSP
can lend itself to a solution to other interesting problems such as the graph isomorphism problem.

Most of these methods invoke Fourier analysis over a finite group $G$. In some sense the Fourier transform
is good at capturing some non-trivial global properties of a function $f$ which at the same time are hard
to figure out for the classical computer which can probe the function only locally at polynomially many
places. For many groups $G$ the quantum computer has the unique ability to compute a Fourier transform for
$G$ very efficiently, i.e., in time $\log^{O(1)} n$, where $n$ is the input size. Even though the access to
the Fourier spectrum is somewhat limited, namely via sampling, it nevertheless has been shown that this
limited access can be quite powerful. Historically, the first promise problems which tried to leverage
this power were defined for certain classes of Boolean functions: the Deutsch-Jozsa problem [DJ92] is to
decide whether a Boolean function $f : \mathbb{Z}_2^n \to \mathbb{Z}_2$ that is promised to be either
constant or a balanced function is actually constant or balanced. In the Fourier picture this asks to
distinguish between functions that have all their spectrum supported on the zero frequency and functions
which have no zero frequency component at all. It therefore comes as no surprise that by sampling from the
Fourier spectrum the problem can be solved. Furthermore, it can be shown that any deterministic classical
algorithm must make an exponential number of queries. However, this problem can be solved on a bounded
error polynomial time classical machine. Hence other, more challenging, problems were sought which asked
for more sophisticated features of the function $f$ and were still amenable to Fourier sampling. One such
problem is to identify $r \in \mathbb{Z}_2^n$ from black box access to a linear Boolean function
$f(x) = rx$, where $x \in \mathbb{Z}_2^n$. Again, in the Fourier domain the picture looks very simple as
each $f$ corresponds to a perfect delta peak localized at frequency $r$, leading to an exact quantum
algorithm which identifies $r$ using a single query. Classically, it can be shown that $\Theta(n)$ queries
are necessary and sufficient to identify $r$ with bounded error. Based on the observation that a quantum
computer can even handle the case well in which access to $x$ is not immediate but rather through solving
another problem of a smaller size, Bernstein and Vazirani [BV97] defined the recursive Fourier sampling
(RFS) problem by organizing many instances of learning a hidden linear function in a tree-like fashion. By
choosing the height of this tree to be $\log n$ they showed a separation between quantum computers, which
can solve the problem in $n$ queries, and classical computers which require $n^{\log n}$ queries. Soon
after this, more algorithms were found that used the power of Fourier sampling over an abelian group,
namely Simon's algorithm [Sim94] for certain functions $f : \mathbb{Z}_2^n \to \mathbb{Z}_2^{n-1}$, and
Shor's algorithms [Sho97], where $f$ was defined on cyclic groups and products thereof, eventually leading
to the HSP.

The idea to achieve speedups from Boolean functions themselves has received significantly less attention.
Recently, Hallgren and Harrow [HH08] revisited the RFS problem and showed that other unitary matrices can
serve the role of the Fourier transform in the definition of RFS problems. They have obtained
superpolynomial speedups over classical computing for a wide class of Boolean functions and unitary
matrices, including random unitary matrices. Together with lower bound results [Aar03] this gives a
reasonably good understanding of the power and limitations of the RFS problem. In another important
development, it was shown that the ability to efficiently perform Fourier transforms on a quantum computer
can also be used to efficiently perform correlations between certain functions. In the so-called hidden
shift problem defined by van Dam, Hallgren, and Ip [vDHI03] this was used in the context of computing a
correlation between a black box implementation of $f(x) = \left(\frac{x+s}{p}\right)$, where
$\left(\frac{\cdot}{p}\right)$ denotes the Legendre symbol and $s \in \mathbb{Z}_p$ is a fixed element,
and the Legendre symbol itself. The main idea behind this is that the Fourier transform of a shifted
function picks up a linear phase which depends on the shift. Since a correlation corresponds to point-wise
multiplication of the Fourier transforms and since the Legendre symbol is its own Fourier transform, the
correlation can be performed by computing the Legendre symbol into the phase, leading to an efficient
algorithm that needs only a constant number of queries. The classical query complexity of this problem is
polynomial in $\log p$.

Our results. Our main contribution is a generalization of the hidden shift problem for a class of Boolean
functions known as bent functions [Rot76]. Bent functions are those Boolean functions for which the
Hamming distance to the set of all linear Boolean functions is maximum (based on comparing their truth
tables). For this reason bent functions are also called maximum non-linear functions.¹ A direct
consequence of this is that the Fourier transform of a bent function $f$ is perfectly flat, i.e., in
absolute value all Fourier coefficients, which are defined with respect to the real valued function
$x \mapsto (-1)^{f(x)}$, are equal and as small as possible. This feature of having a flat Fourier
spectrum is desirable for cryptographic purposes because, roughly speaking, such a function is maximally
resistant against attacks that seek to exploit a dependence of the outputs on some linear subspace of the
inputs. It turns out that bent functions exist if and only if the number of variables is even and that
there are many of them: asymptotically, the number of bent functions in

( — j V 27r2"/2 J , see for instance [CG06]. What is more, several explicit

constructions of infinite families of bent functions are known and they are related to so-called
difference sets which are objects studied in combinatorics. Since the Fourier transform of $f$ is flat and
the Boolean Fourier transform is real, it follows that (up to normalization) the Fourier spectrum takes
only values $\pm 1$, i.e., it again is described by a Boolean function, called the dual bent function and
denoted by $\widetilde{f}$. Arguably, the most prominent example for a bent function is the inner product
function $ip_n(x_1, \ldots, x_n) = \sum_{i=1}^{n/2} x_{2i-1} x_{2i}$, written in short as
$ip_n(x, y) = x y^t$. This function can be generalized to $f(x, y) = x\pi(y)^t + g(y)$, where $\pi$ is an
arbitrary permutation of strings of length $n/2$ and $g : \mathbb{Z}_2^{n/2} \to \mathbb{Z}_2$ is an
arbitrary function. This leads to the class of so-called Maiorana-McFarland bent functions. The dual bent
function is then given by the Boolean function
$\widetilde{f}(x, y) = \pi^{-1}(x) y^t + g(\pi^{-1}(x))$.

We define the hidden shift problem for a fixed bent function $f$ as follows: an oracle $O$ provides us with
access to $f$ and $g$, where $g$ is promised to be a shifted version of $f$ with respect to some unknown
shift $s$. Using oracles of this kind, we show an exponential separation of the quantum and classical
query complexity of the hidden shift problem, the former being at most linear, the latter being
exponential. Furthermore, we also consider a variation of the problem where an oracle $O$ in addition
provides oracle access to the dual bent function $\widetilde{f}$. We show that $s$ can be extracted from
$O$ by a quantum algorithm using one query to $f$ and one query to $\widetilde{f}$. We present two other
classes of bent functions, namely the partial spread class defined by Dillon [Dil75] and a class defined
by Dobbertin [Dob95], which uses properties of certain Kloosterman sums over finite fields to show the
bentness of the functions.

What is the significance of our result? In short, we provide new examples for exponential separations
between quantum and classical computing. The class of problems studied in this paper yields a large new
set of problems for exponential separations in query complexity with respect to oracles. A feature of the
quantum algorithms presented here is their simplicity in that besides classical computation of function
values the only quantum operation required is the Fourier transform over the groups $\mathbb{Z}_2^n$.

How does this relate to other separations? While exponential separations in query complexity were
known before, for instance for abelian hidden subgroup problems, the hidden shift problems for bent
functions are the first problems for which such a separation can be shown from Boolean functions. In the
case of abelian HSP for order 2 subgroups of $\mathbb{Z}_2^n$, it is possible to assume that the functions
hiding the hidden subgroup take the form $f(x) = \pi(Ax)$, where $A \in \mathbb{F}_2^{(n-1) \times n}$ is a
matrix of rank $n - 1$, and $\pi$ is a permutation of strings of length $n - 1$. The goal is to find a
vector $s \in \mathbb{Z}_2^n$ in the kernel of $A$. Note that these functions are not Boolean functions but
rather functions from $\mathbb{Z}_2^n \to \mathbb{Z}_2^{n-1}$. To the best of our knowledge the best
separations that were obtainable so far from Boolean functions were the superpolynomial separations shown
in [HH08]. Those were obtained by generalizing the ideas of recursive Fourier sampling from parity
functions to more general classes of Boolean functions.

¹ Note that high nonlinearity of a function refers to the spectral characterization, i.e., the Hamming
weight of the highest non-zero frequency component is high. It does not imply that
$f(x) = \sum_{\nu \in \mathbb{Z}_2^n} \alpha_\nu x^\nu$, when written as a multivariate polynomial over
$\mathbb{F}_2$, has a high (algebraic) degree, defined as the maximum degree of any monomial $x^\nu$.
Indeed, there are many examples of highly nonlinear functions whose algebraic degree is 2.

Related work. The techniques used in this paper are related to the techniques used in [vDHI03], in
particular the method of using the Fourier transform thrice in order to correlate a shifted function with
a given reference function, thereby solving a deconvolution problem. We see the main difference in the
richness of the class of Boolean functions for which the method can be applied and the query lower bound.

It was observed in [FIM+03, Kup05] that the hidden shift problem for injective functions
$f, g : G \to S$ from an abelian group $G$ to a set $S$ is equivalent to a hidden subgroup problem over
$G \rtimes \mathbb{Z}_2$, where the action of $\mathbb{Z}_2$ on $G$ is given by the inverse. There are
several other papers that deal with the injective hidden shift problem over abelian and non-abelian groups
[CvD07, CW07, MRRS07]. In contrast, the functions studied here are defined on the abelian group
$\mathbb{Z}_2^n$ and very far from being injective. As we show it will be nevertheless possible to define a
related hidden subgroup problem over an elementary abelian group, however, for this we have to consider
"quantum functions" to encode the period.

Perhaps most closely related to our scenario is the work by Russell and Shparlinski [RS04] who considered
shift problems for the case of $\chi(f(x))$, where $f$ is a polynomial on a finite group $G$ and $\chi$ a
character of $G$, a general setup that includes our scenario. The two cases for which algorithms were
given in [RS04] are the reconstruction of a monic, square-free polynomial $f \in \mathbb{F}_p[X]$, where
$\chi$ is the quadratic character (Legendre symbol) over $\mathbb{F}_p$, and the reconstruction of a hidden
shift over a finite group $\chi(sx)$, where $\chi$ is the character of a known irreducible representation
of $G$. The technique used in [RS04] is a generalization of the technique of [vDHI03]. In the present paper
we extend the class of functions for which the hidden shift problem can be solved to the case where $f$ is
a multivariate polynomial and $G$ is the group $\mathbb{Z}_2^n$.

Related to the hidden shift problem is the problem of unknown shifts, i.e., problems in which we are
given a supply of quantum states of the form $|D + s\rangle$, where $s$ is random, and $D$ has to be
identified. Problems of this kind have been studied by Childs, Vazirani, and Schulman [CSV07], where $D$
is a sphere of unknown radius, Decker, Draisma, and Wocjan [DDW08], where $D$ is a graph of a function, and
Montanaro [Mon09], where $D$ is the set of points of a fixed Hamming weight. The latter paper also
considers the cases where $D$ hides other Boolean functions such as juntas, a problem that was also studied
in [AS07]. In contrast to all these problems in our case the set $D$ is already known, but the shift $s$
has to be identified.

We are only aware of relatively few occasions where bent functions have been used in theoretical computer
science: they were used in the context of learning of intersections of halfspaces [KS07], where they
gave rise to maximum possible number of slicings of edges of the hypercube. Also the recent counterexample
for failure of the inverse Gowers conjecture in small characteristic [LMS08] uses a special bent function.



2 Fourier analysis of Boolean functions 

We recall some basic facts about Fourier analysis of Boolean functions, see also the recent review article
[dW08] for an introduction. Let $f : \mathbb{Z}_2^n \to \mathbb{R}$ be a real valued function on the
$n$-dimensional Boolean hypercube. The Fourier representation of $f$ is defined as follows. First note that
for any subset $S \subseteq [n] = \{1, \ldots, n\}$ we can define a character of $\mathbb{Z}_2^n$ via
$\chi_S : x \mapsto (-1)^{S x^t}$, where $x \in \mathbb{Z}_2^n$ (the transpose is necessary as we assume
that all vectors are row vectors). The inner product of two functions on the hypercube is defined as
$\langle f, g \rangle = \frac{1}{2^n} \sum_x f(x) g(x) = \mathbb{E}_x(fg)$. The $\chi_S$ are inequivalent
characters of $\mathbb{Z}_2^n$, hence they obey the orthogonality relation
$\mathbb{E}_x(\chi_S \chi_T) = \delta_{S,T}$. The Fourier transform of $f$ is a function
$\widehat{f} : \mathbb{Z}_2^n \to \mathbb{R}$ defined by

$$\widehat{f}(S) = \mathbb{E}_x(f \chi_S) = \frac{1}{2^n} \sum_{x \in \mathbb{Z}_2^n} \chi_S(x) f(x), \qquad (1)$$

$\widehat{f}(S)$ is the Fourier coefficient of $f$ at frequency $S$, the set of all Fourier coefficients is
called the Fourier spectrum of $f$ and we have the representation $f = \sum_S \widehat{f}(S) \chi_S$. Two
useful facts about the Fourier transform of Boolean functions are Parseval's identity and the convolution
property. Parseval's identity says that $\|f\|_2^2 = \sum_S \widehat{f}(S)^2$, which is a special case of
$\langle f, g \rangle = \sum_S \widehat{f}(S) \widehat{g}(S)$. For two Boolean functions
$f, g : \mathbb{Z}_2^n \to \mathbb{R}$ their convolution $(f * g)$ is the function defined as
$(f * g)(x) = \frac{1}{2^n} \sum_{y \in \mathbb{Z}_2^n} f(x + y) g(y)$. A standard feature of the Fourier
transform is that it maps the group operation to a point-wise operation in the Fourier domain. Concretely,
this means that $\widehat{f * g}(S) = \widehat{f}(S) \widehat{g}(S)$, i.e., convolution becomes point-wise
multiplication and vice-versa.

In quantum notation the Fourier transform on the Boolean hypercube differs slightly in terms of the
normalization and is given by the unitary matrix

This is sometimes called the Hadamard transform [NC00]. In this paper we will also use the Fourier
spectrum defined with respect to the Hadamard transform which differs from (1) by a factor of $2^{-n/2}$.
It is immediate from the definition of $H_{2^n}$ that it can be written in terms of a tensor (Kronecker)
product of the Hadamard matrix of size $2 \times 2$, namely $H_{2^n} = (H_2)^{\otimes n}$, a fact which
makes this transform appealing to use on a quantum computer since it can be computed using $O(n)$
elementary operations. Also note that in the context of cryptography the name Walsh-Hadamard transform for
$H_{2^n}$ is also common.

Another note on a convention which applies when we consider $\mathbb{Z}_2$ valued functions
$f : \mathbb{Z}_2^n \to \mathbb{Z}_2$. Then we tacitly assume that the real valued function corresponding
to $f$ is actually $F : x \mapsto (-1)^{f(x)}$. The Fourier transform is then defined with respect to $F$,
i.e., we obtain that

where we use $w \in \mathbb{Z}_2^n$ instead of $S \subseteq [n]$ to denote the frequencies. Other than this
notational convention, the Fourier transform used here for Boolean valued functions and the Fourier
transform used in (1) for real valued functions are the same. In the paper we will sloppily identify
$\widehat{f} = \widehat{F}$ and it will be clear from the context which definition has to be used.

3 Bent functions 

Definition 1. Let $f : \mathbb{Z}_2^n \to \mathbb{Z}_2$ be a Boolean function. We say that $f$ is bent if
the Fourier coefficients $\widehat{f}(w) = \frac{1}{2^n} \sum_{x \in \mathbb{Z}_2^n} (-1)^{w x^t + f(x)}$
satisfy $|\widehat{f}(w)| = 2^{-n/2}$ for all $w \in \mathbb{Z}_2^n$, i.e., if the spectrum of $f$ is flat.

Necessary for bent functions in $n$ variables to exist is that $n$ is even [Dil75, MS77]. If $f$ is bent,
then this implicitly defines another Boolean function via
$2^{n/2} \widehat{f}(w) =: (-1)^{\widetilde{f}(w)}$. Then this function $\widetilde{f}$ is again a bent
function and called the dual bent function of $f$. By taking the dual twice we obtain $f$ back:
$\widetilde{\widetilde{f}} = f$.

3.1 A first example: the inner product function

The simplest bent function is $f(x, y) := xy$ where $x, y \in \mathbb{Z}_2$. It is easy to verify that $f$
defines a bent function. This can be generalized to $2n$ variables [MS77] and we obtain the inner product

$$ip_n(x_1, \ldots, x_n, y_1, \ldots, y_n) := \sum_{i=1}^{n} x_i y_i.$$

Again, it is easy to see that $ip_n$ is bent. In Section 3.2 we will see that $ip_n$ belongs to a much
larger class of bent functions. There (in Lemma 4) we also establish that $\widetilde{ip}_n = ip_n$ is its
own dual bent function which also implies that the vector
$[(-1)^{ip_n(x,y)}]_{x, y \in \mathbb{Z}_2^n}$ is an eigenvector of $H_{2^{2n}}$. This should be compared
to [vDHI03] where it was used that the Legendre symbol $\left(\frac{\cdot}{p}\right)$ gives rise to an
eigenvector of the Fourier transform $\mathrm{DFT}_p$ over the cyclic group $\mathbb{Z}_p$. The shift
problem for the inner product function is closely related to the Fourier sampling problem of finding a
string $a$ that is hidden by the function $f(a, x) = a x^t$ [BV97], and indeed the string $a$ can be
readily identified from the state $\sum_{x \in \mathbb{Z}_2^n} (-1)^{a x^t} |x\rangle$. In the hidden shift
problem the problem is to identify $(a, b)$ from
$\frac{1}{2^n} \sum_{x, y \in \mathbb{Z}_2^n} (-1)^{(x+a)(y+b)^t} |x, y\rangle$. This state is up to a
global phase given by
$\frac{1}{2^n} \sum_{x, y \in \mathbb{Z}_2^n} (-1)^{x y^t + a y^t + x b^t} |x, y\rangle$. By computing
$ip_n$ into the phase the latter can be mapped to
$\frac{1}{2^n} \sum_{x, y \in \mathbb{Z}_2^n} (-1)^{a y^t + x b^t} |x, y\rangle$. From this state the
string $(a, b)$ can be extracted by applying to it a Boolean Fourier transform followed by measurement in
the computational basis.

3.2 Bent function families 

Many examples of bent functions are known and we briefly review some of these classes. Recall that
any quadratic Boolean function $f$ has the form
$f(x_1, \ldots, x_n) = \sum_{i<j} q_{i,j} x_i x_j + \sum_i \ell_i x_i$ which can be written as
$f(x) = x Q x^t + L x^t$, where $x = (x_1, \ldots, x_n) \in \mathbb{Z}_2^n$. Here,
$Q \in \mathbb{F}_2^{n \times n}$ is an upper triangular matrix and $L \in \mathbb{F}_2^n$. Note that since
we are working over the Boolean numbers, we can without loss of generality assume that the diagonal of $Q$
is zero (otherwise, we can absorb the terms into $L$). It is useful to consider the associated symplectic
matrix $B = (Q + Q^t)$ with zero diagonal which defines a symplectic form $B(u, v) = u B v^t$. This form is
non-degenerate if and only if $\mathrm{rank}(B) = n$. The coset $f + R(n, 1)$ of the first order
Reed-Muller code is described by the rank of $B$. This follows from Dickson's theorem [MS77] which gives a
complete classification of symplectic forms over $\mathbb{Z}_2$.

Theorem 1 (Dickson). Let $B \in \mathbb{Z}_2^{n \times n}$ be a symmetric matrix with zero diagonal (such
matrices are also called symplectic matrices). Then there exist $R \in GL(n, \mathbb{Z}_2)$ and
$h \in [n/2]$ such that $R B R^t = D$, where $D$ is the matrix
$(\mathbf{1}_h \otimes \sigma_x) \oplus \mathbf{0}_{n-2h}$ considered as a matrix over $\mathbb{Z}_2$
(where $\sigma_x$ is the permutation matrix corresponding to $(1, 2)$). In particular, the rank of $B$ is
always even. Furthermore, under the base change given by $R$ the function $f$ becomes the quadratic form
$ip_h(x_1, \ldots, x_{2h}) + L'(x_1, \ldots, x_n)$ where we used the inner product function $ip_h$ and a
linear function $L'$.

Next, we give a characterization of the Fourier transform of an affine transform of a bent function. 

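Lemma 2 (Affine transforms). Let $f$ be a bent function, let $A \in GL(n, \mathbb{Z}_2)$ and
$b \in \mathbb{Z}_2^n$, and define $g(x) := f(xA + b)$. Then also $g(x)$ is a bent function and
$\widehat{g}(w) = (-1)^{w (A^{-1})^t b^t} \widehat{f}(w (A^{-1})^t)$ for all $w \in \mathbb{Z}_2^n$.

Proof. We compute $\widehat{g}(w)$ using the substitution $y = xA + b$ as follows:

$$\begin{aligned}
\widehat{g}(w) &= \frac{1}{2^n} \sum_{x} (-1)^{w x^t + f(xA + b)} \\
&= \frac{1}{2^n} \sum_{y} (-1)^{w (A^{-1})^t (y - b)^t + f(y)} \\
&= (-1)^{w (A^{-1})^t b^t} \, \frac{1}{2^n} \sum_{y} (-1)^{w (A^{-1})^t y^t + f(y)} \\
&= (-1)^{w (A^{-1})^t b^t} \, \widehat{f}(w (A^{-1})^t).
\end{aligned}$$

□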

By combining Theorem 1 and Lemma 2 we arrive at the following corollary which characterizes the
class of quadratic bent functions.

Corollary 3. Let $f(x) = x Q x^t + L x^t$ be a quadratic Boolean function such that the associated
symplectic matrix $B = (Q + Q^t)$ satisfies $\mathrm{rank}(B) = 2h = n$. Then $f$ is a bent function. The
dual of this bent function is again a quadratic bent function.

A complete classification of all bent functions has only been achieved for $n = 2, 4$, and $6$ variables.
For larger number of variables some families are known, basically coming from ad hoc constructions. We
present another one of the known families called M (Maiorana and McFarland). First, we remark there
are also constructions for making new bent functions from known ones, the simplest one takes two bent
functions $f$ and $g$ in $n$ and $m$ variables and outputs $(x, y) \mapsto f(x) \oplus g(y)$. The class M
of Maiorana-McFarland bent functions consists of the functions $f(x, y) := x \pi(y)^t + g(y)$, where $\pi$
is an arbitrary permutation of $\mathbb{Z}_2^n$ and $g$ is an arbitrary Boolean function depending on $y$
only. The following lemma characterizes the dual of a bent function in M.

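Lemma 4. Let $f(x, y) := x \pi(y)^t + g(y)$ be a Maiorana-McFarland bent function. Then the dual bent
function of $f$ is given by $\widetilde{f}(x, y) = \pi^{-1}(x) y^t + g(\pi^{-1}(x))$.

Proof. Let $\widehat{f}(u, v)$ be the Fourier transform of $f$ at $(u, v) \in \mathbb{Z}_2^{2n}$. We obtain

$$\begin{aligned}
\widehat{f}(u, v) &= \frac{1}{2^{2n}} \sum_{x, y \in \mathbb{Z}_2^n} (-1)^{x \pi(y)^t + g(y) + (u, v)(x, y)^t} \\
&= \frac{1}{2^{2n}} \sum_{y \in \mathbb{Z}_2^n} (-1)^{g(y) + v y^t} \sum_{x \in \mathbb{Z}_2^n} (-1)^{x (\pi(y) + u)^t} \\
&= \frac{1}{2^n} \sum_{y \in \mathbb{Z}_2^n} (-1)^{g(y) + v y^t} \, \delta_{\pi(y), u} \\
&= \frac{1}{2^n} (-1)^{v \pi^{-1}(u)^t + g(\pi^{-1}(u))}.
\end{aligned}$$

Hence the dual bent function is given by $\widetilde{f}(x, y) = \pi^{-1}(x) y^t + g(\pi^{-1}(x))$. □

Another class of bent functions called PS (partial spreads) was introduced by Dillon [Dil75] and provides
examples of bent functions outside of M.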

Theorem 5 ([Dil75]). Let $U_1, \ldots, U_{2^{n/2-1}}$ be $n/2$-dimensional subspaces of $\mathbb{F}_2^n$
such that $U_i \cap U_j = \{0\}$ holds for all $i \neq j$. Let $\chi_i$ be the characteristic function of
$U_i$. Then $f := \sum_{i=1}^{2^{n/2-1}} \chi_i$ is a bent function.

A collection of sets $U_i$ as in Theorem 5 is called a partial spread. Explicitly, the $U_i$ can be chosen
as $U_i = \{(x, a_i x) : x \in \mathbb{F}_{2^{n/2}}\}$ where $a_i \in \mathbb{F}_{2^{n/2}}$ satisfies
$g(a_i) = 1$ for a fixed balanced function $g$. Here we have identified with the finite field
$\mathbb{F}_{2^n}$ by choosing a polynomial basis. This provides an explicit construction for bent
functions in PS. A further class defined by Dobbertin, which has the property to include M and PS, is
defined as follows: first, identify $\mathbb{Z}_2^n$ with
$\mathbb{F}_{2^{n/2}} \times \mathbb{F}_{2^{n/2}}$. Let $g$ be a balanced Boolean function of $n/2$
variables, be a permutation of $\mathbb{F}_{2^{n/2}}$ and $\psi$ be an arbitrary map from
$\mathbb{F}_{2^{n/2}}$ to $\mathbb{F}_{2^{n/2}}$. Then

[ : if y = 

is a bent function. 

There are other constructions of bent functions by means of so-called trace monomials. For this
connection, an understanding of certain Kloosterman sums turns out to be important. Recall that the
Kloosterman sum in $\mathbb{F}_{2^n}$ is defined as
$Kl(a) = \sum_{x \in \mathbb{F}_{2^n}^*} (-1)^{\mathrm{tr}(x^{-1} + ax)}$, where $\mathbb{F}_{2^n}^*$
denotes the non-zero elements of $\mathbb{F}_{2^n}$ and $\mathrm{tr}$ denotes the trace map from
$\mathbb{F}_{2^n}$ to $\mathbb{Z}_2$. For $a \in \mathbb{F}_{2^n}$ let $f_a(x)$ be the Boolean function
$f_a(x) = \mathrm{tr}(a x^{2^{n/2} - 1})$. It is known that if $a$ is contained in the subfield
$\mathbb{F}_{2^{n/2}}$ and $Kl(a) = -1$, then $f_a$ is a bent function [Dil75]. The existence of such an
element $a$ was conjectured in Dillon's paper and was proved in [LW90] (see also [HZ99]) where its
existence was shown for all $n$, thereby showing existence of bent functions in this class of trace
monomials.

3.3 Other characterizations of bent functions 

Finally, we note that there are many other characterizations of bent functions via other combinatorial
objects, in particular difference sets. The connection is rather simple: we get that
$D_f := \{x : f(x) = 1\}$ is a difference set in $\mathbb{Z}_2^n$, i.e., the set
$\Delta D_f = \{d_1 - d_2 : d_1, d_2 \in D_f\}$ of differences covers each non-zero element of
$\mathbb{Z}_2^n$ an equal number of times. We briefly highlight some other connections to combinatorial
objects in the following:

Circulant Hadamard matrices. Bent functions give rise to Hadamard matrices of size $2^n \times 2^n$ in a
very natural way as group circulants as follows. Let
$A_f := ((-1)^{f(x+y)})_{x, y \in \mathbb{Z}_2^n}$, then $f$ is bent if and only if $A_f$ is a Hadamard
matrix, i.e., $A_f A_f^t = 2^n \mathbf{1}_{2^n}$. Another way of saying this is that the shifted functions
$x \mapsto (-1)^{f(x+s)}$ for $s \in \mathbb{Z}_2^n$ are orthogonal. Moreover, in the basis given by the
columns of $H_{2^n}$ the matrix $A_f$ becomes diagonal, the diagonal entries being $\widehat{f}(x)$.

Balanced derivatives. Besides the property of $A_f$ being a Hadamard matrix another equivalent
characterization of $f$ to be bent is that the function $\Delta_h(f) := f(x + h) + f(x)$ is a balanced
Boolean function (i.e., $f$ takes 0 and 1 equally often) for all non-zero $h$.

Reed-Muller codes. Bent functions can also be characterized in terms of the Reed-Muller codes [MS77].
Recall that the set of all truth tables (evaluations) of all polynomials over $\mathbb{Z}_2$ of degree up
to $r$ in $n$ variables is called the Reed-Muller code $R(n, r)$. Then bent functions correspond to
functions which have the maximum possible distance to all linear functions, i.e., elements of $R(n, 1)$.
Quadratic bent functions in $R(n, 2)$ are of particular interest. They correspond to symplectic forms of
maximal rank and play a role, e.g., in the definition of the Kerdock codes.

Difference sets. Finally, we note that bent functions are equivalent to objects known as difference sets in
combinatorics, namely difference sets for the elementary abelian groups $\mathbb{Z}_2^n$ [BJL99]. A
difference set is defined as follows: Let $G$ be a finite group of order $v = |G|$. A
$(v, k, \lambda)$-difference set in $G$ is a subset $D \subseteq G$ such that the following properties are
satisfied: $|D| = k$ and the set $\Delta D = \{a - b : a, b \in D, a \neq b\}$ contains every element in
$G$ precisely $\lambda$ times. Examples for difference sets are for instance the set
$D = \{x^2 : x \in \mathbb{F}_q\}$ of all squares in a finite field. Here the group $G$ is the additive
group of $\mathbb{F}_q$, where $q \equiv 3 \pmod 4$ is a prime power. The parameters of this family of
difference sets are given by $(q, \frac{q-1}{2}, \frac{q-3}{4})$. Bent functions on the other hand give
rise to difference sets in the elementary abelian group $G = \mathbb{Z}_2^n$. The connection is as follows:
$D_f := \{x : f(x) = 1\}$ is a difference set in $\mathbb{Z}_2^n$ if and only if $f$ is a bent function, a
result due to Dillon [Dil75]. In this fashion we obtain
$(2^n, 2^{n-1} \pm 2^{(n-2)/2}, 2^{n-2} \pm 2^{(n-2)/2})$ difference sets in $\mathbb{Z}_2^n$, see also
[BJL99].
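
The equivalent characterizations of this section can be checked by brute force on small instances. The
following is an added example, not code from the paper: it builds a Maiorana-McFarland function from a
constructed permutation and a constructed function g, then tests the balanced-derivative property, the
group-circulant Hadamard property, and the difference set parameters. All function names and the sample
tables are assumptions made for the illustration.

```python
def parity(v):
    """Parity of the bits of v, i.e. an inner product over Z_2 once operands are ANDed."""
    return bin(v).count("1") & 1


def mm_truth_table(pi, g, m):
    """Truth table of f(x, y) = x.pi(y)^t + g(y) on Z_2^(2m).

    A point (x, y) is encoded as the integer (x << m) | y, so that addition
    in the group Z_2^(2m) is XOR on the encodings.
    """
    mask = (1 << m) - 1
    return [parity((z >> m) & pi[z & mask]) ^ g[z & mask] for z in range(1 << (2 * m))]


def derivatives_balanced(tt):
    """True iff x -> f(x + h) + f(x) is balanced for every non-zero h."""
    size = len(tt)
    return all(
        sum(tt[x] ^ tt[x ^ h] for x in range(size)) == size // 2
        for h in range(1, size)
    )


def circulant_is_hadamard(tt):
    """True iff A_f = ((-1)^f(x+y)) satisfies A_f A_f^t = 2^n * identity."""
    size = len(tt)
    sign = [1 - 2 * bit for bit in tt]
    for x in range(size):
        for xp in range(size):
            dot = sum(sign[x ^ y] * sign[xp ^ y] for y in range(size))
            if dot != (size if x == xp else 0):
                return False
    return True


def difference_set_params(tt):
    """Return (v, k, lambda) if D_f = {x : f(x) = 1} is a difference set, else None."""
    size = len(tt)
    support = {x for x in range(size) if tt[x]}
    # For each non-zero d count ordered pairs (a, b) in D_f x D_f with a - b = d.
    counts = {sum(1 for a in support if (a ^ d) in support) for d in range(1, size)}
    if len(counts) != 1:
        return None
    return (size, len(support), counts.pop())


# Constructed sample instances (not taken from the paper).
PI4, G4 = [0, 2, 3, 1], [0, 1, 1, 0]                           # n = 4 variables
PI6, G6 = [3, 6, 0, 5, 1, 7, 2, 4], [1, 0, 0, 1, 1, 1, 0, 1]   # n = 6 variables
BENT4 = mm_truth_table(PI4, G4, 2)
BENT6 = mm_truth_table(PI6, G6, 3)
LINEAR4 = [z & 1 for z in range(16)]                           # non-bent control

if __name__ == "__main__":
    for name, tt in (("bent n=4", BENT4), ("bent n=6", BENT6), ("linear n=4", LINEAR4)):
        print(name, derivatives_balanced(tt), circulant_is_hadamard(tt),
              difference_set_params(tt))
```

The linear control fails all three tests at once, which is the equivalence stated above seen from the
negative side.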

4 Quantum algorithms for the shifted bent function problem 

We introduce the hidden shift problem for Boolean functions. In general, the hidden shift problem is a
quite natural source of problems for which a quantum computer might have an advantage over a classical
computer. See [CvD08] for more background on hidden shifts and related problems.

Definition 2 (Hidden shift problem). Let $n > 1$ and let $O_f$ be an oracle which gives access to two
Boolean functions $f, g : \mathbb{Z}_2^n \to \mathbb{Z}_2$ such that the following conditions hold: (i) $f$
and $g$ are bent functions, and (ii) there exists $s \in \mathbb{Z}_2^n$ such that $g(x) = f(x + s)$ for
all $x \in \mathbb{Z}_2^n$. We then say that $O_f$ hides an instance of a shifted bent function problem for
the bent function $f$ and the hidden shift $s \in \mathbb{Z}_2^n$. If in addition to $f$ and $g$ the oracle
also provides access to the dual bent function $\widetilde{f}$, then we use the notation
$O_{f, \widetilde{f}}$ to indicate this potentially more powerful oracle.

Theorem 6. Let $O_{f, \widetilde{f}}$ be an oracle that hides an instance of a shifted bent function
problem for a function $f$ and hidden shift $s$ and provides access to the dual bent function
$\widetilde{f}$. Then there exists a polynomial time quantum algorithm $\mathcal{A}_1$ that computes $s$
with zero error and makes two quantum queries to $O_{f, \widetilde{f}}$.

Proof. Let $f : \mathbb{Z}_2^n \to \mathbb{Z}_2$ be the bent function. We have oracle access to the shifted
function $g(x) = f(x + s)$ via the oracle, i.e., we can apply the map
$|x\rangle |0\rangle \mapsto |x\rangle |f(x + s)\rangle$ where $s \in \mathbb{Z}_2^n$ is the unknown
string. Recall that whenever we have a function implemented as
$|x\rangle |0\rangle \mapsto |x\rangle |f(x)\rangle$, we can also compute $f$ into the phase as
$U_f : |x\rangle \mapsto (-1)^{f(x)} |x\rangle$ by applying $f$ to a qubit initialized in
$\frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$. The hidden shift problem is solved by the following algorithm
$\mathcal{A}_1$: (i) Prepare the initial state $|0\rangle$, (ii) apply the Fourier transform
$H^{\otimes n}$ to prepare an equal superposition
$\frac{1}{\sqrt{2^n}} \sum_{x \in \mathbb{Z}_2^n} |x\rangle$ of all inputs, (iii) compute the shifted
function $g$ into the phase to get
$\frac{1}{\sqrt{2^n}} \sum_{x \in \mathbb{Z}_2^n} (-1)^{f(x+s)} |x\rangle$, (iv) apply $H^{\otimes n}$ to
get $\sum_{w} (-1)^{s w^t} \widehat{f}(w) |w\rangle =
\frac{1}{\sqrt{2^n}} \sum_{w} (-1)^{s w^t} (-1)^{\widetilde{f}(w)} |w\rangle$, (v) compute the function
$|w\rangle \mapsto (-1)^{\widetilde{f}(w)} |w\rangle$ into the phase resulting in
$\frac{1}{\sqrt{2^n}} \sum_{w} (-1)^{s w^t} |w\rangle$, where we have used the fact that $f$ is a bent
function, and (vi) finally apply another Hadamard transform $H^{\otimes n}$ to get the state $|s\rangle$
and measure $s$. From this description it is clear that we needed one query to $g$ and one query to
$\widetilde{f}$ to solve the problem, that the algorithm is exact, and that the overall running time is
given by $O(n)$ quantum operations. A quantum circuit implementing this algorithm is shown in
Figure 1(a). □
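
Steps (i) to (vi) of this proof can be traced on a classical state-vector simulation. The following is an
added example, not code from the paper: it uses a Maiorana-McFarland function with the dual from Lemma 4,
checks that dual against the Hadamard spectrum, and then recovers a planted shift with one phase query to g
and one to the dual. The permutation, the function g, the secret shift and all function names are
constructed for the illustration.

```python
import math


def parity(v):
    """Parity of the bits of v (inner product over Z_2 once operands are ANDed)."""
    return bin(v).count("1") & 1


def mm_tables(pi, g, m):
    """Truth tables of f(x, y) = x.pi(y)^t + g(y) and of its dual per Lemma 4.

    A point (x, y) of Z_2^(2m) is encoded as the integer (x << m) | y.
    """
    inv = [0] * len(pi)
    for y, p in enumerate(pi):
        inv[p] = y
    mask = (1 << m) - 1
    size = 1 << (2 * m)
    f = [parity((z >> m) & pi[z & mask]) ^ g[z & mask] for z in range(size)]
    dual = [parity(inv[w >> m] & (w & mask)) ^ g[inv[w >> m]] for w in range(size)]
    return f, dual


def hadamard(state):
    """Apply the unitary H^(tensor n) to a length-2^n amplitude vector."""
    v = list(state)
    size, h = len(v), 1
    while h < size:
        for i in range(0, size, 2 * h):
            for j in range(i, i + h):
                a, b = v[j], v[j + h]
                v[j], v[j + h] = a + b, a - b
        h *= 2
    scale = 1.0 / math.sqrt(size)
    return [scale * a for a in v]


def dual_from_spectrum(f):
    """Read the dual bent function off the flat spectrum; reject non-bent input."""
    spectrum = hadamard([1 - 2 * bit for bit in f])  # equals 2^(n/2) * f_hat(w)
    if any(abs(abs(c) - 1.0) > 1e-9 for c in spectrum):
        raise ValueError("spectrum is not flat: function is not bent")
    return [0 if c > 0 else 1 for c in spectrum]


def recover_shift(g_oracle, dual_oracle, n):
    """Simulate algorithm A_1; returns (measured string, its probability)."""
    size = 1 << n
    state = [1.0] + [0.0] * (size - 1)                                 # (i)   |0>
    state = hadamard(state)                                            # (ii)  uniform
    state = [a * (1 - 2 * g_oracle(x)) for x, a in enumerate(state)]   # (iii) query g
    state = hadamard(state)                                            # (iv)
    state = [a * (1 - 2 * dual_oracle(w)) for w, a in enumerate(state)]  # (v) query dual
    state = hadamard(state)                                            # (vi)
    probs = [a * a for a in state]
    best = max(range(size), key=probs.__getitem__)
    return best, probs[best]


# Constructed sample instance (not from the paper): n = 6 variables.
M = 3
PI = [3, 6, 0, 5, 1, 7, 2, 4]
G = [1, 0, 0, 1, 1, 1, 0, 1]
SECRET = 0b101101


def demo():
    f, dual = mm_tables(PI, G, M)
    return recover_shift(lambda x: f[x ^ SECRET], lambda w: dual[w], 2 * M)


if __name__ == "__main__":
    print(demo())
```

The simulation stores all $2^n$ amplitudes, so it only illustrates the correctness of the six steps and
says nothing about query complexity.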

Next, we consider the situation where the oracle defines a hidden shift problem but does not provide 
access to the dual bent function. It turns out that in this case we can still extract the hidden shift with a 
polynomial time quantum algorithm, however the number of queries increases from constant to linear. 

Theorem 7. Let $\mathcal{O}_f$ be an oracle that hides an instance of a shifted bent function problem for a function $f$
and hidden shift $s$. Then there exists a polynomial time quantum algorithm $A_2$ that computes $s$ with constant
probability of success and makes $O(n)$ queries to $\mathcal{O}_f$.

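Proof. First, note that as in Theorem 6 we can assume that the oracle computes the functions $f, g : \mathbb{Z}_2^n \to \mathbb{Z}_2$
into the phase. Furthermore, we can assume that the oracle can be applied conditionally on a bit $b$, i.e.,
we can apply the map $\Lambda_1(U_f) : |b\rangle |x\rangle \mapsto |b\rangle |x\rangle$ if $b = 0$ and $|b\rangle |x\rangle \mapsto |b\rangle (-1)^{f(x)} |x\rangle$ if $b = 1$.
Indeed, using a Fredkin gate Fred (see [NC00]), which is specified by $|b\rangle |x\rangle |y\rangle \mapsto |b\rangle |x\rangle |y\rangle$ if $b = 0$ and
$|b\rangle |x\rangle |y\rangle \mapsto |b\rangle |y\rangle |x\rangle$ if $b = 1$, it is easy to implement $\Lambda_1(U_f)$ as follows: $(\Lambda_1(U_f) \otimes I_{2^n}) |b\rangle |x\rangle |0\rangle =
(\mathrm{Fred} \circ (I_2 \otimes U_f \otimes I_{2^n}) \circ \mathrm{Fred}) |b\rangle |x\rangle |0\rangle$, up to a global phase.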

We prove the theorem by reducing to an abelian hidden subgroup problem in the group $\mathbb{Z}_2^{n+1}$. To do
this, we use $f$ and $g$ to define "quantum functions", namely $F : x \mapsto \sum_{y \in \mathbb{Z}_2^n} (-1)^{f(x+y)} |y\rangle$ and
$G : x \mapsto \sum_{y \in \mathbb{Z}_2^n} (-1)^{g(x+y)} |y\rangle$. Observe that due to the bentness of $f$ and $g$, the two functions $F$ and $G$
are injective quantum functions, i.e., they are injective complex valued functions that with respect to some
basis, which in general might be different from the computational basis, become classical injective functions.
Indeed, this follows from the fact that all derivatives of a bent function are balanced, see Section 3. Now,
a well known connection between the hidden shift problem for injective functions $f$, $g$ over an abelian
group $A$ and a hidden subgroup problem can be used [Kup05, FIM+03]. For this, the hidden subgroup
problem is defined with respect to the semidirect product $A \rtimes \mathbb{Z}_2$ where the action is given by inversion
in $A$. In our case we have $A \rtimes \mathbb{Z}_2 = \mathbb{Z}_2^{n+1}$ since the inversion action is trivial over $\mathbb{Z}_2^n$. The hiding
function for the HSP over $\mathbb{Z}_2^{n+1}$ is defined as $H(b, x) = F(x)$ if $b = 0$ and $H(b, x) = G(x)$ if $b = 1$.

This defines a hidden subgroup $\{(0, 0), (1, s)\}$ of order 2, knowledge of which clearly implies that we
know $s$. Once we have shown how to implement the hiding function $H$, the algorithm will therefore be
the standard algorithm for the HSP: (i) Prepare the initial state $|0\rangle$, (ii) apply the Fourier transform to
prepare an equal superposition $\frac{1}{\sqrt{2^{n+1}}} \sum_{b \in \mathbb{Z}_2} \sum_{x \in \mathbb{Z}_2^n} |b, x\rangle$ of all inputs, (iii) compute the function $H$ into the second
register to get $\frac{1}{\sqrt{2^{n+1}}} \sum_{b \in \mathbb{Z}_2} \sum_{x \in \mathbb{Z}_2^n} |b, x\rangle |H(b, x)\rangle$, (iv) apply $H^{\otimes (n+1)}$ to the first register, and (v) measure
the first register. This leads to a measurement result $a \in \mathbb{Z}_2^{n+1}$ that satisfies $(1, s) a^t = 0$. Repeating
steps (i)-(v) a total number of $O(n)$ times, we get a constant probability to uniquely characterize $s$ from
the measurement data. Hence, the algorithm needs $O(n)$ queries to $f$ and $g$ to solve the problem and the
overall running time is given by O(n^) quantum operations. The function $H(b, x)$ can be implemented in
a straightforward way using Hadamard transforms, controlled NOT operations [NC00], and the controlled
oracle calls $\Lambda_1(U_f)$ mentioned above. A quantum circuit implementing one iteration of this algorithm is
shown in Figure 1(b). □
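The following is an added example, not code from the paper: the classical post-processing that turns the measurement results of algorithm $A_2$ into the shift. The quantum circuit is not simulated; the outcomes are constructed stand-ins drawn uniformly from $\{a : (1,s)a^t = 0\}$, which assumes the uniform distribution of the standard abelian HSP algorithm, and all function names are this example's own.

```python
import random

def parity(v):
    """Sum of the bits of v modulo 2."""
    return bin(v).count("1") & 1

def sample_outcome(s, n, rng):
    """Constructed stand-in for one run of steps (i)-(v): a uniform a in Z_2^{n+1}
    with (1, s).a = 0. Bit n of a pairs with b, bits 0..n-1 pair with x."""
    hidden = (1 << n) | s
    while True:
        a = rng.getrandbits(n + 1)
        if parity(a & hidden) == 0:
            return a

def insert(basis, a):
    """Gaussian elimination over GF(2). basis maps leading-bit position -> row.
    Returns True if a was independent of the rows collected so far."""
    for p in sorted(basis, reverse=True):
        if (a >> p) & 1:
            a ^= basis[p]
    if a == 0:
        return False
    basis[a.bit_length() - 1] = a
    return True

def null_vector(basis, n):
    """Given n independent rows in Z_2^{n+1}, return the unique nonzero h with row.h = 0."""
    free = next(i for i in range(n + 1) if i not in basis)
    h = 1 << free
    for p in sorted(basis):  # back-substitute from the lowest pivot upwards
        if parity(basis[p] & h):
            h |= 1 << p
    return h

def recover_shift(s, n, seed=0):
    """Collect outcomes until they have rank n, then read s off the null vector (1, s).
    Returns (recovered shift, number of circuit runs used)."""
    rng = random.Random(seed)
    basis, runs = {}, 0
    while len(basis) < n:
        insert(basis, sample_outcome(s, n, rng))
        runs += 1
    h = null_vector(basis, n)
    if h >> n != 1:
        raise ValueError("outcomes are inconsistent with a subgroup {(0,0),(1,s)}")
    return h & ((1 << n) - 1), runs
```

The run count returned alongside the shift shows how many repetitions of steps (i)-(v) were needed before the outcomes determined $s$ uniquely.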

It is perhaps interesting to note that the "probabilistic method" of directly implementing $\tilde{f}$ via sampling
of $f$ at a polynomial number of inputs and using the Chernoff bound is not sufficient for our purposes (see
e.g., [Man94] for the argument that $\frac{1}{|I|} \sum_{i \in I} \chi_S(x_i) f(x_i)$ is exponentially close to $\hat{f}(S)$ for all $S$ for a sample set
$I$ of polynomial size). The issue is that for bent functions we would have to distinguish exponentially small
Fourier coefficients $\pm 1/\sqrt{2^n}$. We conjecture that in the worst case it takes an exponential number of queries
to $f$ in order to implement one query to $\tilde{f}$, but have no proof for this.

Figure 1: Quantum algorithms for the hidden shift problem for bent functions. The quantum circuit in (a)
implements algorithm $A_1$. This algorithm can be used if access to the shifted function $g(x) = f(x + s)$ as
well as access to the dual bent function $\tilde{f}$ is given. The algorithm uses one query to $g$ and one query to $\tilde{f}$
and is zero-error, i.e., it always returns the hidden shift $s$. The quantum circuit in (b) implements algorithm
$A_2$. This algorithm uses access to $f$ and $g$ only and can be applied if access to $\tilde{f}$ is not available. The shown
circuit has to be applied $O(n)$ times, after which the data acquired by measuring the upper $n + 1$ qubits
characterizes the hidden shift $s$ with constant probability of success.

Finally, we state the two results that provide new query complexity separations between quantum and 
classical algorithms. Our main tool is the Maiorana-McFarland class of bent functions which turns out to be 
rich enough to prove the two results. First, we show that the classical query complexity for the hidden shift 
problem over this class of bent functions is of order $\Theta(n)$, while it can be solved with 2 quantum queries.

Theorem 8. Let $\mathcal{O}_{f,\tilde{f}}$ be an oracle that hides a hidden shift $s$ for an instance $(f, g, \tilde{f})$ of a hidden shift
problem for a bent function $f$ from the Maiorana-McFarland class. Then classically $\Theta(n)$ queries are necessary
and sufficient to identify the hidden shift $s$. Further, there exists a recursively defined oracle $\mathcal{O}_{rec}$ which
makes calls to $\mathcal{O}_{f,\tilde{f}}$ and whose quantum query complexity is $\mathrm{poly}(n)$, whereas its classical query complexity
is superpolynomial.

Proof. The proof of the lower bound on the classical query complexity for $\mathcal{O}$ is information theoretic. The
tightness of the bound follows since $n$ bits of information about $s$ have to be gathered and each query can
yield at most 1 bit. To see that $O(n)$ are indeed sufficient, consider the following (adaptive) strategy for
finding a shift $(s, s')$ of $g(x, y) = (x + s)\pi(y + s')^t$: first query $g(x, y)$ on $(0, 0)$ to extract $s\pi(s')^t$. Then
subtract this from the values at the points $(e_i, 0)$, where $e_i$ denotes the $i$th standard basis vector. This gives
the bits of $\pi(s')$. Next evaluate $\tilde{f}(x, y) = \pi^{-1}(x) y^t$ at the points $(\pi(s'), e_i)$. This gives the bits of $s'$.
Finally, from evaluating $g$ at points $(0, \pi^{-1}(e_i) + s')$ we can obtain the bits of $s$, i.e., the entire hidden shift
$(s, s')$.

A standard argument can be invoked [BV97] to recursively construct an oracle which hides a function
computed by a tree, the nodes of which are given by the oracle hiding a string $s$. In order to evaluate $f(x)$
at a node, first a sequence of smaller instances of the problem have to be solved. We do not go into further
detail of the construction and only note that we get the analogous result as in [BV97], see also [HH08],
namely that a tree of height $\log n$ leads to a quantum query complexity of $2^{\log n}$ which is polynomial in $n$,
whereas the classical query complexity is given by $n^{\log n}$ which grows faster than any polynomial. □

The following theorem avoids the adaptive queries in the proof of Theorem 8 and uses oracles of the
form $\mathcal{O}_f$ in which no queries to the dual bent function are allowed. Since the quantum computer can still
determine the shift in polynomial time, here an exponential separation between classical and quantum query
complexity can be shown.

Theorem 9. Let $\mathcal{O}_f$ be an oracle that hides a hidden shift $s$ for an instance $(f, g)$ of a hidden shift problem
for a bent function $f$ from the Maiorana-McFarland class. Then classically $\Theta(\sqrt{2^n})$ queries are necessary and
sufficient to identify the hidden shift $s$.

Proof. The proof is similar to the lower bound for the linear structure problem considered in [dBCW02] and
the query lower bound for Simon's problem [Sim94]. First, note that we can use Yao's minimax principle
[Yao77] to show limitations of a deterministic algorithm $A$ on the average over an adversarially chosen
distribution of inputs. Hence, we can consider deterministic algorithms and $\pi$ and $s$ in the definition of
$f(x, y) = x\pi(y)^t$ and $g(x, y) = f(x, y + s)$ will be chosen randomly.

The distribution we choose to show the lower bound is to choose $\pi$ uniformly at random from the symmetric
group on the strings of length $n$, and $s = (s_1, s_2) \in \mathbb{Z}_2^{2n}$ such that $s_1 = 0$ and $s_2$ is chosen uniformly at
random in $\mathbb{Z}_2^n$. The instances we consider are given by oracle access to the functions $f(x, y) = x\pi(y)^t$ and
$g(x, y) = f(x, y + s) = x\pi(y + s)^t$. Now, without loss of generality we can assume that the classical
algorithm $A$ has (adaptively or not) queried the oracle $k = n^{O(1)}$ times, i.e., it has chosen pairs $(x_i, y_i)$ for
$i = 1, \ldots, k$ and obtained results

$x_i \pi(y_i)^t = a_i$
$x_i \pi(y_i + s)^t = b_i$.

In order to characterize the information about $s$ after these $k$ queries we define the set $D = \{x_i : i =
1, \ldots, k\} \cup \{y_i : i = 1, \ldots, k\}$. We show that if no collision between the values of $f$ and $g$ was produced,
then the information obtained about $s$ is exponentially small. To simplify our argument, we actually make
the classical deterministic algorithm more powerful by giving oracle access to $\pi(x)$ and $\pi(x + s)$. Consider
the set of all differences $D^{(-)} = \{d_1 - d_2 : d_1, d_2 \in D\}$ and the set $D_{good} = \mathbb{Z}_2^n \setminus D^{(-)}$. Note that
for an abelian group $A$ and subset $D \subseteq A$ with $|D^{(-)}| < |A|$ we can always choose a set $S$ such that
$D \cap (D + s) = \emptyset$ for all $s \in S$. Indeed, we can choose $S = D_{good}$ since $x \in D \cap (D + s)$ would imply
that there exist $d_1, d_2 \in D$ with $d_1 = d_2 + s$, i.e., $s \in D^{(-)}$ which is a contradiction. Notice in our case
that $|S| \geq 2^n - |D^{(-)}| = 2^n - n^{O(1)}$. Now, we can change the value of the shift $s$ to any other value $s'$ as
long as the algorithm has not queried $s$ directly (the chances of which are exponentially small: because of
a birthday for the strings $s$, the probability is given by ^-^^). We do this by choosing $\pi'$ in such a way
that it maps $\pi(y_j + s) = \pi'(y_j + s')$ while being consistent with all other queries. Because of the above
argument, as long as there is no collision, after $i$ queries to $f$, $g$, we still have a set $S$ of size $|S| \geq 2^n - n^{O(1)}$
of candidates $s'$, and $\pi'$ which are also consistent with the sampled data, showing the lower bound. □

Corollary 10. There exists an oracle $\mathcal{O}$ implementing a Boolean function such that $\mathrm{P}^{\mathcal{O}} \neq \mathrm{BQP}^{\mathcal{O}}$.

5 Conclusions 

We introduced the hidden shift problem for a class of Boolean functions which are at maximum distance 
to all linear functions. For these so-called bent functions the hidden shift problem can be efficiently solved 
on a quantum computer, provided that we have oracle access to the shifted version of the function as well 
as its dual bent function. The quantum computer can extract the hidden shift using just one query to these 
two functions and besides this only requires to compute the Hadamard transform and measure qubits in
the standard basis. We showed that this task is significantly more challenging for a classical computer and
proved an exponential separation between quantum and classical query complexity. 



Acknowledgments 

The author gratefully acknowledges support by ARO/NSA under grant W911NF-09-1-0569 and would like
to thank the anonymous referees for valuable comments on this paper and earlier versions of it.

References 

[Aar03] S. Aaronson. Quantum lower bound for recursive Fourier sampling. Quantum Information and
Computation, 3(2):165-174, 2003.

[AS07] A. Atici and R. Servedio. Quantum algorithms for learning and testing juntas. Quantum Infor- 
mation Processing, 6(5):323-348, 2007. 

[BCvD05] D. Bacon, A. Childs, and W. van Dam. From optimal measurement to efficient quantum algo-
rithms for the hidden subgroup problem over semidirect product groups. In Proceedings of the
46th Annual IEEE Symposium on Foundations of Computer Science, pages 469-478, 2005.

[dBCW02] N. de Beaudrap, R. Cleve, and J. Watrous. Sharp quantum versus classical query complexity
separations. Algorithmica, 34(4):449-461, 2002.

[BJL99] Th. Beth, D. Jungnickel, and H. Lenz. Design Theory, volume I. Cambridge University Press, 
2nd edition, 1999. 

[BV97] E. Bernstein and U. Vazirani. Quantum complexity theory. SIAM Journal on Computing,
26(5):1411-1473, 1997. Conference version in Proc. STOC'93, pp. 11-20.

[CG06] C. Carlet and Ph. Gaborit. Hyper-bent functions and cyclic codes. Journal of Combinatorial
Theory, Series A, 113:466-482, 2006.

[CvD07] A. Childs and W. van Dam. Quantum algorithm for a generalized hidden shift problem. In 
Proceedings of the 18th Symposium on Discrete Algorithms (SODA'07), pages 1225-1232, 
2007. 

[CvD08] A. Childs and W. van Dam. Quantum algorithms for algebraic problems. arXiv Preprint 
0812.0380, to appear in Reviews of Modern Physics. 

[CSV07] A. Childs, L. J. Schulman, and U. Vazirani. Quantum algorithms for hidden nonlinear struc-
tures. In Proceedings of the 48th Annual IEEE Symposium on Foundations of Computer Science
(FOCS'07), pages 395-404, 2007.

[CW07] A. Childs and P. Wocjan. On the quantum hardness of solving isomorphism problems as non-
abelian hidden shift problems. Quantum Information and Computation, 7(5-6):504-521, 2007.

[vDHI03] W. van Dam, S. Hallgren, and L. Ip. Quantum algorithms for some hidden shift problems. In
Proceedings of the 14th Symposium on Discrete Algorithms (SODA'03), pages 489-498, 2003.






[DDW08] Th. Decker, J. Draisma, and P. Wocjan. Efficient quantum algorithm for identifying hidden
polynomials. Quantum Information and Computation, 2008. To appear, see also arXiv preprint
0706.1219.

[DJ92] D. Deutsch and R. Jozsa. Rapid solution of problems by quantum computation. Proceedings
of the Royal Society London, Series A, 439:553-558, 1992.

[Dil75] J. Dillon. Elementary Hadamard difference sets. In F. (et al.) Hoffman, editor, Proc. 6th S-E
Conf. on Combinatorics, Graph Theory, and Computing, pages 237-249. Winnipeg Utilitas
Math., 1975.

[Dob95] H. Dobbertin. Construction of bent functions and balanced Boolean functions with high nonlin-
earity. In B. Preneel, editor, Fast Software Encryption, volume 1008 of LNCS, Springer, pages
61-74, 1995.

[FIM+03] K. Friedl, G. Ivanyos, F. Magniez, M. Santha, and P. Sen. Hidden translation and orbit coset in
quantum computing. In Proc. STOC'03, pages 1-9, 2003.

[Hal02] S. Hallgren. Polynomial-time quantum algorithms for Pell's equation and the principal ideal
problem. In Proc. STOC'02, pages 653-658, 2002.

[HH08] S. Hallgren and A. Harrow. Superpolynomial speedups based on almost any quantum circuit. In
Proceedings of the 35th International Colloquium on Automata, Languages and Programming
(ICALP'08), pages 782-795, 2008.

[HMR+06] S. Hallgren, C. Moore, M. Rötteler, A. Russell, and P. Sen. Limitations of quantum coset states
for graph isomorphism. In Proceedings of the 38th Annual ACM Symposium on Theory of 
Computing (STOC'06), pages 604-617, 2006. 

[HZ99] T. Helleseth and V. Zinoviev. On Z_4-linear Goethals codes and Kloosterman sums. Designs,
Codes and Cryptography, 17:269-288, 1999.

[Kit97] A. Yu. Kitaev. Quantum computations: algorithms and error correction. Russian Math. Surveys,
52(6):1191-1249, 1997.

[KS07] A. R. Klivans and A. A. Sherstov. Unconditional lower bounds for learning intersections of 
halfspaces. Machine Learning, 69(2-3):97-114, 2007. 

[Kup05] G. Kuperberg. A subexponential-time quantum algorithm for the dihedral hidden subgroup
problem. SIAM Journal on Computing, 35(1):170-188, 2005.

[LW90] G. Lachaud and J. Wolfmann. The weights of the orthogonals of the extended quadratic binary 
Goppa codes. IEEE Transactions on Information Theory, 36(3):686-692, 1990. 

[Man94] Y. Mansour. Learning Boolean functions via the Fourier transform. In V. P. Roychowdhury, K.-
Y. Siu, and A. Orlitsky, eds., Theoretical Advances in Neural Computation and Learning, pp.
391-424. Kluwer, 1994.

[LMS08] S. Lovett, R. Meshulam, and A. Samorodnitsky. Inverse conjecture for the Gowers norm is
false. In Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC'08),
pages 547-556, 2008.






[MS77] F. J. MacWilliams and N. J. A. Sloane. The Theory of Error-Correcting Codes. North-Holland,
Amsterdam, 1977.

[Mon09] A. Montanaro. Quantum algorithms for shifted subset problems. Quantum Information and 
Computation, 9(5&6):500-512, 2009. 

[MRRS07] C. Moore, D. N. Rockmore, A. Russell, and L. J. Schulman. The power of strong Fourier sam- 
pling: quantum algorithms for affine groups and hidden shifts. SIAM Journal on Computing, 
37(3):938-958, 2007. 

[NC00] M. Nielsen and I. Chuang. Quantum Computation and Quantum Information. Cambridge
University Press, 2000.

[Rot76] O. S. Rothaus. On "bent" functions. Journal of Combinatorial Theory, Series A, 20:300-305, 
1976. 

[RS04] A. Russell and I. Shparlinski. Classical and quantum function reconstruction via character
evaluation. Journal of Complexity, 20(2-3):404-422, 2004.

[Sho97] P. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quan-
tum computer. SIAM Journal on Computing, 26(5):1484-1509, 1997.

[Sim94] D. R. Simon. On the power of quantum computation. In Proceedings of the 35th Annual 
Symposium on Foundations of Computer Science (FOCS'94), pages 116-123, 1994. 

[dW08] R. de Wolf. A brief introduction to Fourier analysis on the Boolean cube. Theory of Computing
Library-Graduate Surveys, 1:1-20, 2008. Available online from www.theoryofcomputing.org.

[Yao77] A. Yao. Probabilistic computations: toward a unified measure of complexity. In Proceedings of 
the 18th Annual Symposium on Foundations of Computer Science (FOCS'77), pages 222-227, 
1977. 






